> On Feb 27, 2015, at 10:08 AM, Nadim Kobeissi <[email protected]> wrote:
>
> This is by no means a bad idea. But considering the server as part of the
> adversarial model, this proposition doesn't seem to help much, since:
>
> Anyone with access to the server can simply hoover up all the
> passphrase-encrypted private keys, and then try to crack them in the same way
> by searching through the space of possible passphrases. This is why it's
> better, I think, to focus on ensuring that the passphrase space search
> *itself* is exceedingly expensive in the first place, hence the strict
> passphrase requirements and the strong scrypt derivation rounds.
I'm not sure how publishing passphrase-encrypted private keys to the world (in the public key form of "brain keys") can be *better* than restricting access to encrypted random private keys to a server that is already privileged with access to communications metadata.

As long as the algorithm and passphrase entropy are exactly the same for both, storing encrypted random private keys on a server somewhere is *strictly better* than using the equivalent "brain key". Am I missing something?

Jonathan

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
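A worked illustration of the point the two posters are arguing over (an added example, not code from either of them): a brain key and a server-held passphrase-wrapped random key both reduce a passphrase guess to one scrypt call, so the cost per guess is identical and what differs is who holds the verifier, the whole world for a published brain-key public key versus the server for the stored blob. The public-key derivation, the salt, the scrypt parameters and the candidate list are constructed stand-ins.

```python
import hashlib
import hmac
import os
# scrypt cost kept small so the demo runs in under a second; real deployments
# use far larger N. The salt and candidate list below are constructed.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT = b"constructed-demo-salt"

def kdf(passphrase: str) -> bytes:
    """One scrypt call per candidate: this is the unit of attacker work."""
    return hashlib.scrypt(passphrase.encode(), salt=SALT,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)

def public_key(private_key: bytes) -> bytes:
    """Constructed stand-in for a real public-key derivation (one-way, public)."""
    return hashlib.sha256(b"pubkey|" + private_key).digest()

def brain_key_public(passphrase: str) -> bytes:
    """Brain key: the private key is kdf(passphrase)[:32]; only the public key is published."""
    return public_key(kdf(passphrase)[:32])

def server_wrap(passphrase: str) -> tuple:
    """Random private key wrapped under the passphrase; the server keeps (blob, tag)."""
    priv = os.urandom(32)
    k = kdf(passphrase)
    blob = bytes(a ^ b for a, b in zip(priv, k[:32]))      # XOR wrap under one key half
    tag = hmac.new(k[32:], blob, hashlib.sha256).digest()  # MAC under the other half
    return blob, tag

def guesses_against_brain_key(pub: bytes, candidates) -> int:
    """Search anyone holding the public key can run; returns guesses used, -1 if none hit."""
    for i, c in enumerate(candidates, 1):
        if public_key(kdf(c)[:32]) == pub:
            return i
    return -1

def guesses_against_server_blob(blob: bytes, tag: bytes, candidates) -> int:
    """Identical search, but it needs the server's blob as the verifier."""
    for i, c in enumerate(candidates, 1):
        k = kdf(c)
        if hmac.compare_digest(hmac.new(k[32:], blob, hashlib.sha256).digest(), tag):
            return i
    return -1

def demo() -> tuple:
    """Same passphrase, same candidate list: both searches cost the same number of kdf calls."""
    candidates = ["hunter2", "correct horse battery staple", "tr0ub4dor&3"]
    blob, tag = server_wrap(candidates[-1])
    return (guesses_against_brain_key(brain_key_public(candidates[-1]), candidates),
            guesses_against_server_blob(blob, tag, candidates))
```

Both searches hit on the same guess, which is the thread's point: the scrypt parameters set the price per guess, and the storage choice only decides whether that search is open to everyone or to whoever controls the server.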
